
How to configure a local Splunk Enterprise instance as both a forwarder and indexer?


Hi,

I have installed Splunk Enterprise version locally and configured the below from Splunk Web.
1- forwarding host:port (localhost:9997)
2- receiving port to match with the same port (9997)
3- Data input to point to a directory (c:\data)

I don't see any data in search and reporting, even on adding files to the directory (c:\data)

Can I not use the same local instance as both a forwarder and indexer?


1 Answer

By default every Splunk instance can monitor data locally (technically a forwarder's functionality). Since you want to index the data locally and not send/forward it to any other indexer instance, you don't need to configure forwarding OR receiving. Just set up the data input and you should be good to go.

Thanks a lot for the response. I am configuring using the UI. I added a directory in the data input section and restarted Splunk, but when I go to the search and reporting section I don't see any data. Could you please let me know if I need to do any other configuration?

I would check a few things:
1) Check if the data input is listed under data inputs and is in enabled state.
2) If you have access to the server, run the following to see if the file that you posted has been monitored by Splunk OR not.
$SPLUNK_HOME/bin/splunk.exe list monitor
3) Since you added the data input from the UI, check if you're monitoring a file OR the directory (check in the data input page). I'm guessing it would be monitoring a specific file, so you would have to update the inputs.conf on the server to monitor the folder.
4) Check the timestamp on the events in the file and see if it's within the retention period of the index that you're using.

I might check the index/sourcetype being used in the search to see if it matches the values from data input

Thanks for the response. On running list monitor I get the below entry.
Monitored Files: $SPLUNK_HOME\etc\splunk.version C:\SplunkDir
Please can you let me know where inputs.conf is and what to change in it to make it a folder?
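
An added example, not part of the original thread, of the inputs.conf change the last comment asks about: a monitor stanza that names a single file beside one that names the whole directory. The file name app.log, the sourcetype name and the index value are assumptions, and which inputs.conf holds the stanza depends on where Splunk Web saved the input.

```ini
# inputs.conf (constructed example, not taken from the poster's system)
#
# Inputs created in Splunk Web are written to a "local" directory, typically
#   %SPLUNK_HOME%\etc\apps\<app>\local\inputs.conf
# or
#   %SPLUNK_HOME%\etc\system\local\inputs.conf
# To see which file each monitor setting comes from, run:
#   splunk.exe cmd btool inputs list monitor --debug

# Before: the stanza names one file, so other files added to C:\data are
# never read. (app.log is a hypothetical file name.)
[monitor://C:\data\app.log]
disabled = false

# After: replace the stanza above with one that names the directory, so
# every file placed in C:\data (and its subdirectories) is picked up.
[monitor://C:\data]
disabled = false
# Assumed values; the search has to use the same index and sourcetype.
index = main
sourcetype = my_custom_logs
```

Restart Splunk after editing the file, then search the index named in the stanza with a time range wide enough to cover the timestamps inside the files.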